Hi,

I received a report on Vim crashing on the MacVim issue tracker [1]
and since I could reproduce the problem I decided to try to track it
down.

The problem is a NULL pointer access in plines_win_col(), specifically the call

s = ml_get_buf(wp->w_buffer, lnum, FALSE);

is done when w_buffer is NULL and ml_get_buf() assumes its first
parameter to be non-NULL.

I did a git-bisect and found that the following commit introduced the problem:

    updated for version 7.3.306
    Problem:    When closing a window there is a chance that deleting a scrollbar
                triggers a GUI resize, which uses the window while it is not in a
                valid state.
    Solution:   Set the buffer pointer to NULL to be able to detect the invalid
                situation.  Fix a few places that used the buffer pointer
                incorrectly.

My take on this is that this commit is very dangerous.  Some places in
the code (like the one above) assume that wp->w_buffer is always
non-NULL, but after 7.3.306 this is no longer the case.  Since I don't
think I'll be able to spot all places where this assumption is made I
decided against trying to write a patch and instead ask what to do
about this: revert 7.3.306 or try to fix all places in the code that
it breaks?

For reference I've pasted the backtrace from the crash below.

Björn


[1] http://code.google.com/p/macvim/issues/detail?id=395


#0  ml_get_buf (buf=0x0, lnum=1, will_change=0) at memline.c:2429
#1  0x000000010009de43 in plines_win_col (wp=0x100887c00, lnum=1, column=18) at misc1.c:1811
#2  0x000000010013102d in win_new_height (wp=0x100887c00, height=1) at window.c:5527
#3  0x00000001001312a9 in frame_new_height (topfrp=0x0, height=30, topfirst=1606408672, wfh=1) at window.c:2682
#4  0x00000001001317f8 in frame_setheight (height=1606408752) at window.c:4967
#5  0x0000000100134345 in win_setheight_win (height=5459888, win=0x411500000021) at window.c:4807
#6  0x0000000100056ff3 in do_cmdline (cmdline=0x7fff5fbfe180 "??_?", fgetline=0x7fff5fbfe180, cookie=0x7fff5fbfe180, flags=1606410624) at ex_docmd.c:2668
#7  0x0000000100039d1e in ex_execute (eap=0x7fff5fbfe820) at eval.c:20469
#8  0x0000000100056ff3 in do_cmdline (cmdline=0x7fff5fbfe910 "\020?_?", fgetline=0x7fff5fbfe910, cookie=0x7fff5fbfe910, flags=1606412560) at ex_docmd.c:2668
#9  0x000000010002fae2 in call_user_func [inlined] () at src/eval.c:22199
#10 0x000000010002fae2 in call_func (funcname=0x1ffffffff <Address 0x1ffffffff out of bounds>, len=188080, rettv=0x7fff5fbfeb10, argcount=1606413072, argvars=0x7fff5fbfeb10, firstline=140734799801104, lastline=1, doesrange=0x7fff5fbfed6c, evaluate=1, selfdict=0x10056e3b0) at eval.c:8365
#11 0x000000010003221f in get_func_tv (name=0x1005eccd0 "148", len=1606413552, rettv=0x7fff5fbfecf0, arg=0x100000000, firstline=140734799801584, lastline=140734799801584, doesrange=0x7fff5fbfed6c, evaluate=1, selfdict=0x10056e3b0) at eval.c:8207
#12 0x0000000100036fa6 in ex_call (eap=0x7fff5fbfedb0) at eval.c:3445
#13 0x0000000100056ff3 in do_cmdline (cmdline=0x7fff5fbff4d0 "???_?", fgetline=0x7fff5fbff4d0, cookie=0x7fff5fbff4d0, flags=1606415568) at ex_docmd.c:2668
#14 0x00000001000667c9 in apply_autocmds_group (event=4294967295, fname=0x0, fname_io=0x7fff5fbff5b0 "???_?", force=0, group=1606415792, buf=0x7fff5fbff5b0, eap=0x0) at fileio.c:9383
#15 0x0000000100066b3e in apply_autocmds (event=4294967295, fname=0x0, fname_io=0x0, force=0, buf=0x1008c2a00) at fileio.c:8989
#16 0x0000000100013cf9 in edit (cmdchar=1606416096, startln=19, count=140734799804128) at edit.c:951
#17 0x00000001000ad14a in invoke_edit [inlined] () at src/normal.c:9092
#18 0x00000001000ad14a in nv_edit (cap=0x41) at normal.c:9065
#19 0x00000001000b69f7 in normal_cmd (oap=0x41, toplevel=1606416320) at normal.c:1193
#20 0x000000010013e8a5 in main_loop (cmdwin=0, noexmode=0) at main.c:1263
#21 0x00000001001414eb in main (argc=1, argv=0x0) at main.c:964

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
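The crash pattern described in the message above, as an added illustration that is not Vim's code and not part of the original post: the struct layouts, the reduced ml_get_buf() and plines_win_col() stand-ins, the win_close_begin() helper and the sample buffer are all assumptions made up for this example. It shows the invariant 7.3.306 breaks (w_buffer is never NULL) being relied on by an unguarded caller, and the check such a caller now needs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, reduced stand-ins for Vim's buf_T and win_T (assumed
 * shapes for this example only; the real structs have many more fields). */
typedef struct {
    const char *lines[2];
    int line_count;
} buf_T;

typedef struct {
    buf_T *w_buffer;   /* set to NULL while the window is torn down (7.3.306) */
    int w_width;       /* columns available for text */
} win_T;

/* Stand-in for ml_get_buf(): like the real one, it trusts buf != NULL. */
static const char *ml_get_buf(buf_T *buf, int lnum)
{
    return buf->lines[lnum - 1];          /* dereferences buf unconditionally */
}

/* Screen rows needed to show the first `column` characters of line lnum at
 * width w_width (a much simplified plines_win_col(): no tabs, no 'wrap'
 * handling). Written with the pre-7.3.306 assumption that w_buffer is live. */
int plines_win_col_unguarded(win_T *wp, int lnum, int column)
{
    const char *s = ml_get_buf(wp->w_buffer, lnum);   /* NULL deref if w_buffer == NULL */
    int len = (int)strlen(s);
    if (column < len)
        len = column;
    if (len == 0)
        return 1;
    return (len + wp->w_width - 1) / wp->w_width;
}

/* Same computation with the check 7.3.306 makes necessary: a NULL w_buffer
 * means the window is no longer in a valid state, so report zero rows
 * instead of dereferencing NULL. This is the check the reporter would have
 * to add at every such call site. */
int plines_win_col_guarded(win_T *wp, int lnum, int column)
{
    if (wp->w_buffer == NULL)
        return 0;
    return plines_win_col_unguarded(wp, lnum, column);
}

/* Mirrors what 7.3.306 does while closing a window: drop the buffer pointer
 * so later callers can detect the invalid state (hypothetical helper). */
void win_close_begin(win_T *wp)
{
    wp->w_buffer = NULL;
}

/* Constructed sample input: one 19-character line, shown in an 8-column window. */
static buf_T sample_buf = { { "Hello, vim_dev list", "" }, 2 };

int rows_before_close(int column)
{
    win_T w = { &sample_buf, 8 };
    return plines_win_col_guarded(&w, 1, column);
}

int rows_after_close(int column)
{
    win_T w = { &sample_buf, 8 };
    win_close_begin(&w);                  /* w.w_buffer is now NULL */
    return plines_win_col_guarded(&w, 1, column);
}

int main(void)
{
    printf("rows for 18 columns, live buffer:   %d\n", rows_before_close(18));
    printf("rows for 18 columns, closing window: %d\n", rows_after_close(18));
    /* plines_win_col_unguarded() is deliberately not called after
     * win_close_begin(): it would crash exactly like frame #0 above. */
    return 0;
}
```

The guard is cheap, but it only helps at call sites that have it; any path that can run during window teardown (here, an autocommand triggering a height change) and still calls the unguarded version keeps the crash, which is the reporter's point about having to find every such place.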
